I have a situation where an application has to encrypt/decrypt some credit card data. Each encryption key (it could be symmetric or private asymmetric) has to be in two separate places, managed by different people. One person cannot have access to any part of the key and the ciphertext it decodes at once. The application is a Windows service; it will have to have access to the whole key and the ciphertext in order to work on/process the decrypted data.

How can I make sure the server administrator (we use VMs) does not have access to both the key and ciphertext, but since it's an admin account it will have full control over the VM (and thus the service)?

PCI requirements are documented in several different standards available at pcisecuritystandards.org. For example, the “secure software standard version 1.0” is a specific standard with dozens of control objectives and test requirements. Which standard document/version and which objective are you attempting to comply with here? I’ve often found that PCI requirements get “garbled” between internal compliance teams (who read them) and developers (who usually don’t).
– Darrell Root, Dec 11 '19 at 5:48